Towards an Organizational Culture Framework for Information Security Practices

Author(s):  
Joo Soon Lim, Shanton Chang, Atif Ahmad, Sean Maynard

In organizations, employee behaviour has a considerable impact on information security. The organizational culture (OC) that shapes acceptable employee behaviours is therefore significant. A large body of literature exists that calls for the cultivation of security culture to positively influence information security related behaviour of employees. However, there is little research examining OC that enables the implementation of information security. The authors address the unsubstantiated claim that there is an important relationship between OC and the ability to successfully implement information security. Findings suggest that security practices can be successfully implemented within eight organizational culture characteristics. Investigation of these organizational culture characteristics from a security perspective is an important step toward future empirical research aimed at understanding the relationship between OC and the implementation of systematic improvement of security practices. The research and practical implications of these findings are discussed, and future research areas are explored.

Author(s):  
Daniel Oost, Eng K. Chew

The concept of an “information security culture” is relatively new. A review of published research on the topic suggests that it is not the information security panacea that has been suggested. Instead, it tends to refer to a range of existing techniques for addressing the human aspect of information security, oversimplifying the link between culture and behaviour, exaggerating the ease with which a culture can be adjusted, and treating culture as a monolith, set from the top. Evidence for some of the claims is also lacking. This chapter finds that the term “information security culture” is ambiguous and vague enough to suggest the possibility of achieving an almost mystical state, whereby behaviour consistent with information security is second nature to all employees, but when probed does not deliver. Instead, future research should be clear about what it considers information security culture to be, should provide evidence for claims, and should take complexity and context seriously.


2015, Vol 23 (3), pp. 246-285  
Author(s):  
Fredrik Karlsson, Joachim Åström, Martin Karlsson

Purpose – The aim of this paper is to survey existing information security culture research to scrutinise the kind of knowledge that has been developed and the way in which this knowledge has been brought about.

Design/methodology/approach – Results are based on a literature review of information security culture research published between 2000 and 2013 (December).

Findings – This paper can conclude that existing research has focused on a broad set of research topics, but with limited depth. It is striking that the effects of different information security cultures have not been part of that focus. Moreover, existing research has used a small repertoire of research methods, a repertoire that is more limited than in information systems research in general. Furthermore, an extensive part of the research is descriptive, philosophical or theoretical – lacking a structured use of empirical data – which means that it is quite immature.

Research limitations/implications – Findings call for future research that: addresses the effects of different information security cultures; addresses the identified research topics with greater depth; focuses more on generating theories or testing theories to increase the maturity of this subfield of information security research; and uses a broader set of research methods. It would be particularly interesting to see future studies that use intervening or ethnographic approaches because, to date, these have been completely lacking in existing research.

Practical implications – Findings show that existing research is, to a large extent, descriptive, philosophical or theoretical. Hence, it is difficult for practitioners to adopt these research results, such as frameworks for cultivating or assessment tools, which have not been empirically validated.

Originality/value – Few state-of-the-art reviews have sought to assess the maturity of existing research on information security culture. Findings on types of research methods used in information security culture research extend beyond the existing knowledge base, which allows for a critical discussion about existing research in this sub-discipline of information security.


Author(s):  
Canchu Lin, Xin (Robert) Luo

Extant information systems security research has identified and examined a variety of individual as well as organizational factors influencing information security behaviors, but has rarely offered sufficient theoretical insight into how the individual factors interact with the organizational context in shaping information security behaviors. To fill this gap, this study proposes a theoretical framework that builds on the concepts of organizational culture and sensemaking to show that: 1) information security behaviors are outcomes of sensemaking; and 2) sensemaking is enabled as well as constrained by organizational culture. This study further shows that information security diagnosing, solving, and performing behaviors emerge as outcomes of sensemaking about information security during the organization's interactions with technology. Theoretical and pragmatic contributions of this framework and future research directions are also discussed.


2020, Vol 28 (4), pp. 485-501  
Author(s):  
Rima Khatib, Henri Barki

Purpose – The purpose of this paper is to introduce activity theory (AT) as a new theoretical lens to the field of information security non-compliance by explaining how research in that field can benefit from AT and to suggest eight propositions for future research.

Design/methodology/approach – Based on AT, the paper suggests that employees, IT systems, task characteristics, information security policies (ISPs), community and division of labor can be viewed to form an ensemble that is labeled activity. Their characteristics and/or the relationships that exist between them in organizational contexts are hypothesized to influence non-compliance behaviors.

Findings – The paper suggests that AT provides a broad lens that can be useful for explaining a large variety of non-compliant behaviors related to information security.

Research limitations/implications – The paper focuses only on non-compliant behaviors that employees undertake with non-malicious intentions and offers avenues for future research based on the propositions that are developed in the paper.

Originality/value – The paper provides a useful step toward a better understanding of non-compliant ISP behaviors. In addition, it proposes and explains new research areas in the non-compliance field.


2013, Vol 2013, pp. 1-18  
Author(s):  
Antti Evesti, Eila Ovaska

Dynamically changing environments and threat landscapes require adaptive information security. Adaptive information security makes it possible to change and modify security mechanisms at runtime, so that not all security decisions have to be enforced at design time. This paper builds a framework to compare security adaptation approaches. The framework contains three viewpoints: adaptation, security, and lifecycle. Furthermore, the paper describes five security adaptation approaches and compares them by means of the framework. The comparison reveals that the existing security adaptation approaches cover information gathering extensively. However, the compared approaches do not describe how to decide on a method for performing a security adaptation. Similarly, the means of providing input knowledge for the security adaptation are not covered. Hence, these research areas have to be addressed in future work. The results are applicable for software developers when selecting a security adaptation approach and for researchers when considering future research items.


Author(s):  
Deborah S. Carstens

With the increasing daily reliance on electronic transactions, it is essential to have reliable security practices for individuals, businesses, and organizations to protect their information (Vu, Bhargav, & Proctor, 2003; Vu, Tai, Bhargav, Schultz, & Proctor, 2004). A paradigm shift is occurring as researchers are targeting social and human dimensions of information security, as this aspect is seen as an area where control can be exercised. Since computer security is largely dependent on the use of passwords to authenticate users of technology, the objectives of this chapter are to (a) provide a background on password authentication and information security, (b) provide a discussion on security techniques, human error in information security, human memory limitations, and password authentication in practice, and (c) provide a discussion on future and emerging trends in password authentication to include future research areas.


2020, Vol 35 (4), pp. 669-684  
Author(s):  
Khalid Hussain, Fengjie Jing, Muhammad Junaid, Huayu Shi, Usman Baig

Purpose – Contemporary scholars contend that the buyer–seller relationship is dynamic in nature, so it grows, matures and declines over time. However, most studies that adopt the dynamic perspective debate its conceptualization and how dynamic effects are captured. This scholarly discourse has led to multiple dynamic perspectives and resulted in fragmented and scattered literature on the subject. This study aims to synthesize the large body of research on dynamic perspectives in a systematic way.

Design/methodology/approach – This paper follows a systematic review approach to extract and review 192 research articles from four electronic databases: Web of Science, EBSCOhost Business, ScienceDirect and Emerald. Based on the inclusion criterion that the articles examine time-dependent relationship development in light of a generalizable dynamic perspective, 61 articles were selected for the final examination and reporting.

Findings – This review reveals that most research on the buyer–seller dynamic relationship follows at least one of four perspectives: the relationship lifecycle, relationship age, relationship velocity and the asymmetric–dynamic perspective. Each perspective offers a distinct conceptualization of relationship development and has certain advantages that enable researchers to capture information about relationships’ growth trajectory in a unique manner.

Practical implications – Firms need a set of diverse strategies for their customers, depending on the state of the relationships’ development, as strategies that pay off at initial levels may fail at later stages. This study helps managers select an appropriate dynamic perspective that best aligns with their customers’ stage of relationship development so they can devise customized relationship-management strategies.

Originality/value – To the best of the authors’ knowledge, this article is the first attempt to organize the discourse of a large body of research on dynamic perspectives, and therefore it helps academicians and practitioners to choose the dynamic perspective that best suits their objectives and research settings. This review documents key research areas that have been overlooked and highlights opportunities for future research.


Author(s):  
I. D. Rudinskiy ◽  
D. Ya. Okolot

The article discusses aspects of the formation of an information security culture among college students. The relevance of the work stems from increasing threats to the information security of the individual and of society, driven by the rapid growth in the number of information services in use. Accordingly, one of the important problems in the development of the information society is the formation of a culture of information security of the individual, as part of the general culture in its socio-technical aspect and as part of the individual’s professional culture. The study revealed the structural components of the phenomenon of information security culture and identified the reasons for focusing on the target group of students. It justifies the need for future mid-level specialists to form an additional universal competency that ensures the individual’s ability and willingness to recognize the need for certain information and to identify and evaluate the reliability of data sources. As a result of the study, recommendations were formulated on the basis of which a culture of information security for college students can be formed and developed, and a decomposition of this process into enlarged stages is proposed. Proposals are formulated for the list of disciplines within whose study a culture of information security can develop. The authors believe that the recommendations developed will help future mid-level specialists master this universal competency, consisting in the ability and willingness to recognize the need for certain information, to identify and evaluate the reliability of data sources, and to correctly access the necessary information and subsequently use it legitimately, which ultimately forms a culture of information security.

